FINALLY! The VPN Configuration I've Been Looking For!

There is also cloudflare’s “zero trust”. It doesnt block trackers and ads, but it supports custom rules and many more…
I am running it for 2 months and find it better than nextdns.

just watched the video.
sounds glorious.
can you provide a link to ivpn?
there seems to be about 26 websites that have ivpn in their url

Great shoutout for IVPN, and thanks for bringing that feature to light. On iOS I’ve been using Proton, and just Proton. I kept having issues with other VPN (never mind VPN+DNS) solutions on iOS (similar to Henry), and that’s why I stuck with Proton, for so long (it’s literally the only device I’m using ProtonVPN for). Proton and their NetShield, just worked. I already have an IVPN account, so I’m so glad to hear about this functionality, and you had no issues with it. I feel like last time I checked, this feature did not exist… but I’m so glad that’s changed.

For those on Android, this shouldn’t really have been a problem for you. Go into your settings app, look at your Connections, and there should be an option (somewhere in there) for “Private DNS”. Really good feature that Android has had for a long time.

Settings > Network & Internet > Private DNS.

CalyxOS is default Automatic.

GrapheneOS also has the Private DNS option, but it’s recommended not to use it with a VPN.

It can be extremely easy to track users who deviate from the default DNS used by the VPN provider, any website can force you to do a DNS lookup and use that to learn which DNS you use.

CalyxOS, has Private DNS options:
Off
Cloudflare DNS
Automatic
Private Provider Hostname

I have been using ProtonVPN and the automatic option.

I’ve been using IVPN and have liked it better than any other VPN. Mullvad had too many server issues but IVPN is rock solid so far. So this video got me excited but I’m having an issue that hopefuly someone can help me with.

Imagepipe_4987×2138 62.8 KB

This is the IVPN client from Fdroid on GrapheneOS. AS you can see I don’t have all of the same options as Henry’s iPhone in the video and that I have been using Quad9.

IVPN’s website states this:
“The iOS app also supports DNS-over-HTTPS and DNS-over-TLS for queries when the VPN is connected or disconnected. These settings are available in the app’s Settings area.”

Would this option specific to iOS be the setting that would allow NextDNS to be added as a custom DNS to IVPN on Android if the setting existed? Is there something else I’m not understanding? Does is make a difference if I add NextDNS via the “Private DNS” option within Android settings?

I did get NextDNS to work on my desktop client and on OpenWRT no problem and it’s awesome so far.

Are you saying that a private DNS shouldn’t be used under the “Private DNS” setting or also for changing the DNS provider within a VPN app as well?

There is no way to prevent a website from learning which DNS you are using, your combination of VPN and DNS can be a very strong fingerprint that can be used to track you.

The standard recommendation is to not change the DNS when using a VPN, if you don’t change the DNS you are just a random person using that VPN provider, if you change the DNS worse case scenario is that you reduce yourself to a party of one.

I see what you’re saying. It would be helpful if you could see how many people using a particular VPN were also using a particular DNS provider. Thanks

So I just updated the pinned comment and description of the video to reflect this mistake.

I misread this statement on their site as “iOS also supports DoH & DoT” (as Android does as well - again, incorrect assumption) - then “for queries when the VPN is connected or disconnected.” (Which is what I thought was the feature difference between iOS & Android)

I’ll do some testing to see if the Privacy DoH setting built natively into Android is honored when connected to a VPN. But it does seem like two mistakes have been made now:

hm1772×702 38.3 KB

• Mullvad DOES support custom DNS on iOS (Though not DoH) - when their own website actively says custom DNS is not supported on iOS.
• And I misread IVPN’s FAQ to think that DoH was natively supported on Android (when it isn’t) - and now I need to see if the DNS option within Android plays nicely with it.

Thanks for the reply and pinning that comment. I just made some adjustments. I added my NextDNS to my Private DNS setting within my Android settings and also kept my custom DNS setting for Quad9 active within the IVPN app. Then I checked via DNS Leak Test and infact the Android setting overwrites the IVPN app for my DNS provider. So now NextDNS is my active provider. It did however take DNS Leak Test a lot longer to verify my DNS provider with this setup for some reason.

So should we not do what Henry is saying? Even though it is a unique fingerprint it seems that it stops a lot of tracking, ads, etc.

Yeah, I’m a little confused about this. I didn’t know that selecting a custom DNS option from your VPN could also fingerprint you. How does that work?

Apps and web sites can detect the configured DNS servers by generating random subdomains resolved by querying their authoritative DNS server. This can be used as part of fingerprinting users. If you’re using a VPN, you should consider using the standard DNS service provided by the VPN service to avoid standing out from other users.

Seems like a concern that doesn’t necessarily apply to all users and what they’re chasing for on their privacy & security journey - but a good one to know nonetheless

Just a general PSA, I’m currently in the process of pushing a v2(ish) video on this as a video diving deeper into these other VPNs and actually testing their offerings rather than relying on their websites and publicly available information. Trying to get that pushed ASAP so that there is some more context around this whole situation.

So how to combine Netguard + Nextdns + Vpn on android???

This concern is worth noting, but I think that most people don’t need to worry about it. If fingerprinting is part of your threat model, you should really be using the Tor Browser. Yes, Brave and Firefox both have browser fingerprinting mitigations, and while these are improving with time, it is still relatively trivial for a website to fingerprint its visitors if they want to without ever looking at an IP address or the DNS resolver. Adding the extra uniqueness of a custom VPN+DNS combination probably isn’t making things significantly worse for most.